Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xcmc3LWhmeDctOTVjNc4AAxJC
Command injection in Git package in Wrangler
Impact
A command injection vulnerability was discovered in Wrangler's Git package affecting versions up to and including v1.0.0.
Wrangler's Git package uses the underlying Git binary present in the host OS or container image to execute Git operations. Specially crafted commands can be passed to Wrangler that will change their behavior and cause confusion when executed through Git, resulting in command injection in the underlying host.
Workarounds
A workaround is to sanitize input passed to the Git package to remove potential unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version.
Patches
Patched versions include v1.0.1 and later and the backported tags - v0.7.4-security1, v0.8.5-security1 and v0.8.11.
For more information
If you have any questions or comments about this advisory:
- Reach out to SUSE Rancher Security team for security related inquiries.
- Open an issue in Rancher or Wrangler repository.
- Verify our support matrix and product support lifecycle.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xcmc3LWhmeDctOTVjNc4AAxJC
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-qrg7-hfx7-95c5, CVE-2022-31249
References:
- https://github.com/rancher/wrangler/security/advisories/GHSA-qrg7-hfx7-95c5
- https://nvd.nist.gov/vuln/detail/CVE-2022-31249
- https://bugzilla.suse.com/show_bug.cgi?id=1200299
- https://pkg.go.dev/vuln/GO-2023-1519
- https://github.com/rancher/wrangler/commit/12397eec50155cb2d24aa70bdf9e90c5f3b9a727
- https://github.com/rancher/wrangler/commit/341018c8fef3e12867c7cb2649bd2cecac75f287
- https://github.com/rancher/wrangler/commit/5a387e13e8d51e3340d9e5012a1951f0cca5fc90
- https://github.com/rancher/wrangler/commit/8649ecc062204f28764fd80157a621cbae89c9cf
- https://github.com/rancher/wrangler/compare/v0.7.2...v0.7.4-security1
- https://github.com/rancher/wrangler/compare/v0.8.4...v0.8.5-security1
- https://github.com/advisories/GHSA-qrg7-hfx7-95c5
Blast Radius: 20.3
Affected Packages
go:github.com/rancher/wrangler
Dependent packages: 566Dependent repositories: 510
Downloads:
Affected Version Ranges: >= 0.8.0, < 0.8.5-security1, < 0.7.4-security1, = 1.0.0, >= 0.8.6, < 0.8.11
Fixed in: 0.8.5-security1, 0.7.4-security1, 1.0.1, 0.8.11
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.2.0, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.8.10, 1.0.0
All unaffected versions: 0.7.5, 0.8.5, 0.8.11, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2